Skip to content

Latest commit

 

History

History
46 lines (33 loc) · 2.34 KB

017.md

File metadata and controls

46 lines (33 loc) · 2.34 KB

Proud Rusty Mantis

High

Incorrect calculation causing a significantly higher fee

Vulnerability Detail

Upon calculating the sell fee, we have the following code:

// Sell fee increase also considers synthetics critical scaling.
        // So, if synthetics are debased 4% in critical, then the sell fee should be 9% (5% + 4%)
        // Whichever sell fee is greater should be used at any given time
        // we use criticalScaleForNumaPriceAndSellFee because we want to use this scale in our sell_fee only when cf_critical is reached
        (, , uint criticalScaleForNumaPriceAndSellFee, ) = getSynthScaling();

        uint sell_fee_increaseCriticalCF = ((BASE_1000 - criticalScaleForNumaPriceAndSellFee) * 1 ether) / BASE_1000;
        // add a multiplier on top
        sell_fee_increaseCriticalCF = (sell_fee_increaseCriticalCF * sell_fee_criticalMultiplier) / 1000;

        // here we use original fee value increase by this factor
        uint sell_fee_criticalCF;

        if (sell_fee > sell_fee_increaseCriticalCF) sell_fee_criticalCF = sell_fee - sell_fee_increaseCriticalCF;

        // clip it by min value
        if (sell_fee_criticalCF < sell_fee_minimum_critical) sell_fee_criticalCF = sell_fee_minimum_critical;

        uint sell_fee_result = lastSellFee;
        // Whichever sell fee is greater should be used at any given time
        if (sell_fee_criticalCF < sell_fee_result) sell_fee_result = sell_fee_criticalCF;

As stated in the comments above, if synthetics are debased 4%, the sell fee should be 9%, however that does not properly happen in the code and the fee goes to 45% instead.

Attack Path

  1. We calculate sell_fee_increaseCriticalCF using $(1000 - 960) * 1e18 / 1000 = 40 000 000 000 000 000$ (960 implies 4% debase, formula would be $96 * 1000 / 100$)
  2. sell_fee_increaseCriticalCF goes to $40 000 000 000 000 000 * 10000 / 1000 = 400 000 000 000 000 000$
  3. sell_fee_criticalCF is $0.95e18 - 400 000 000 000 000 000 = 550 000 000 000 000 000$
  4. We get the bigger fee which is the lower value due to the fee application, which would be 550 000 000 000 000 000 from the calculation above, that is a fee of 45%

Impact

Significantly higher sell fee

Mitigation

The multiplier causes the fee to be significantly higher than intended. Either remove it or change it to work properly